For October 2015 Patch Tuesday, Microsoft released only six security bulletins with three being rated as critical.

3 rated Critical

The three bulletins rated critical deal with remote code execution.

MS15-106 is a cumulative fix for Internet Explorer, patching multiple memory corruption, scripting engine memory corruption, elevation of privilege, and information disclosure vulnerabilities as well as a security feature bypass involving VBScript and JScript ASLR, and a scripting engine information disclosure bug. The most severe flaws could allow for remote code execution if an attacker tricks a user into visiting a maliciously crafted site. An attacker who successfully exploits them could gain the same user rights as the current user.

MS15-108 is like a reboot of the bulletin above, except the fixes for the VBScript and JScript scripting engines are rated critical for affected versions of Windows Vista, Windows Server 2008 and the Windows 2008 Server Core installation option.

MS15-109 patches a flaw in Windows Shell that could allow remote code execution; it fixes the vulnerabilities “by modifying how Windows Shell and the Microsoft Tablet Input Band handle objects in memory.”

3 rated Important

MS15-107 is the cumulative patch for Microsoft Edge. The most severe flaw could allow information disclosure; the other patch is for an XSS filter bypass. The fix is rated important for Edge users on Windows 10.

Although rated as important, Qualys CTO Wolfgang Kandek says MS15-110 “deserves your attention. It addresses six issues in Office (mostly Excel) with five resulting in Remote Code Execution. An attacker would trick a user into opening an Excel sheet with an exploit for one of the vulnerabilities in order to be successful, which is not that hard if the Excel sheet is presented in an interesting context, say as relevant product information, pricing and discounts of competing vendors.”

MS15-111 is for all versions of Windows, as it patches the Windows kernel to prevent elevation of privilege.